==================================================================
BUG: KASAN: use-after-free in get_unaligned_le16 include/asm-generic/unaligned.h:27 [inline]
BUG: KASAN: use-after-free in LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
BUG: KASAN: use-after-free in LZ4_decompress_generic lib/lz4/lz4_decompress.c:285 [inline]
BUG: KASAN: use-after-free in LZ4_decompress_safe_partial+0x102a/0x11a0 lib/lz4/lz4_decompress.c:469
Read of size 2 at addr ffff8880a9100000 by task kworker/u5:2/6499

CPU: 1 PID: 6499 Comm: kworker/u5:2 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: erofs_unzipd z_erofs_decompressqueue_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 get_unaligned_le16 include/asm-generic/unaligned.h:27 [inline]
 LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
 LZ4_decompress_generic lib/lz4/lz4_decompress.c:285 [inline]
 LZ4_decompress_safe_partial+0x102a/0x11a0 lib/lz4/lz4_decompress.c:469
 z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:220 [inline]
 z_erofs_lz4_decompress+0x78c/0x1400 fs/erofs/decompressor.c:288
 z_erofs_decompress_pcluster.isra.0+0x1322/0x2250 fs/erofs/zdata.c:975
 z_erofs_decompress_queue fs/erofs/zdata.c:1053 [inline]
 z_erofs_decompressqueue_work+0xe1/0x170 fs/erofs/zdata.c:1064
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the page:
page:ffffea0002a44000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0xa9100
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0002a45048 ffffea0002a43708 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100cca(GFP_HIGHUSER_MOVABLE), pid 2937, ts 1381727374814, free_ts 1383673084119
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4155
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5381
 alloc_pages_vma+0xf3/0x7d0 mm/mempolicy.c:2152
 wp_page_copy+0x1be/0x2450 mm/memory.c:3003
 do_wp_page+0x2cb/0x1ae0 mm/memory.c:3313
 handle_pte_fault mm/memory.c:4588 [inline]
 __handle_mm_fault+0x1f12/0x5280 mm/memory.c:4705
 handle_mm_fault+0x1c8/0x790 mm/memory.c:4803
 do_user_addr_fault+0x489/0x11c0 arch/x86/mm/fault.c:1397
 handle_page_fault arch/x86/mm/fault.c:1485 [inline]
 exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1541
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare+0x326/0x810 mm/page_alloc.c:1391
 free_unref_page_prepare mm/page_alloc.c:3317 [inline]
 free_unref_page_list+0x1a9/0xfa0 mm/page_alloc.c:3433
 release_pages+0x3f4/0x1480 mm/swap.c:970
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
 tlb_flush_mmu mm/mmu_gather.c:249 [inline]
 tlb_finish_mmu+0x165/0x8c0 mm/mmu_gather.c:340
 exit_mmap+0x1ea/0x630 mm/mmap.c:3173
 __mmput+0x122/0x4b0 kernel/fork.c:1113
 mmput+0x56/0x60 kernel/fork.c:1134
 exit_mm kernel/exit.c:507 [inline]
 do_exit+0xb27/0x2b40 kernel/exit.c:819
 do_group_exit+0x125/0x310 kernel/exit.c:929
 __do_sys_exit_group kernel/exit.c:940 [inline]
 __se_sys_exit_group kernel/exit.c:938 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:938
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff8880a90fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a90fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a9100000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8880a9100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880a9100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================